I’m developing an `API_ONLY` SmartThings integration and I’m stuck on the final step of creating a device (I want to create a virtual switch). I’ve successfully implemented the full OAuth 2.0 flow and my backend function receives a valid access token. However, any subsequent API call that requires specific permissions fails.
Here is a summary of my setup and the errors I’m seeing:
- App Type: `API_ONLY`
- Initial Goal: To create a virtual switch in a specific user location.
- Scope Requested: `r:devices:*, w:devices:*, x:devices:*, r:locations:*`
- Error 1: When a user tries to authorize the app, the flow fails immediately with a `Smartthings Auth Error: i:deviceprofiles` if I include the `i:deviceprofiles` scope, or `Smartthings Auth Error: r:locations:*` if I include the `r:locations:*` scope. The platform explicitly rejects these permissions at the consent screen.
- Current State: I’ve updated my app to only request `r:devices:*`, `w:devices:*`, and `x:devices:*`. The token exchange now succeeds, but when I use that token to make a `POST` request to `https://api.smartthings.com/v1/devices`, the API returns a `403 Forbidden` error.
It seems like even though the user grants permission for devices, the resulting access token does not actually contain the `w:devices:*` scope needed to create a device. The platform seems to be ignoring the requested scopes for my `API_ONLY` app.
Has anyone else encountered a `403 Forbidden` error when creating a device with an `API_ONLY` app, even when the token exchange is successful? Is there a known platform issue or a specific configuration I might be missing?
Any help or insight would be greatly appreciated. Thank you!
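
A diagnostic for the situation described in the post above, as an added example that is not part of the original post: it compares the requested scopes with the `scope` field of the token-exchange response under RFC 6749 rules, so a narrowed grant is visible before the `403`. The token responses are constructed samples, and both the presence of a `scope` field in the response and `w:devices:*` being the scope the device-creation call needs are assumptions taken from the post, not from SmartThings documentation.

```python
"""Compare the scopes an OAuth 2.0 client requested with what the token response granted."""


def parse_scopes(value):
    # RFC 6749 section 3.3: scope is a space-delimited list of case-sensitive strings.
    # Commas are tolerated too, because the post writes its scope list comma-separated.
    return set(value.replace(",", " ").split())


def granted_scopes(requested, token_response):
    # RFC 6749 section 5.1: the server may omit "scope" only when the grant is
    # identical to the request; otherwise it must state what was actually granted.
    raw = token_response.get("scope")
    return parse_scopes(requested) if raw is None else parse_scopes(raw)


def scope_report(requested, token_response, needed):
    asked = parse_scopes(requested)
    granted = granted_scopes(requested, token_response)
    return {
        "dropped": sorted(asked - granted),      # requested but not granted
        "unrequested": sorted(granted - asked),  # granted without being asked for
        "call_allowed": needed in granted,       # exact string match, no wildcard expansion
    }


# Constructed sample data (not captured from a real SmartThings exchange).
REQUESTED = "r:devices:*, w:devices:*, x:devices:*"
NEEDED = "w:devices:*"  # assumption from the post: scope needed to create a device
NARROWED = {"access_token": "<redacted>", "token_type": "bearer",
            "scope": "r:devices:* x:devices:*"}
OMITTED = {"access_token": "<redacted>", "token_type": "bearer"}

if __name__ == "__main__":
    for name, response in (("narrowed", NARROWED), ("omitted", OMITTED)):
        print(name, scope_report(REQUESTED, response, NEEDED))
```

A non-empty `dropped` list means the authorization server narrowed the grant, so the resource server's `403` is consistent with the token rather than a separate fault.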